Index: head/stand/ficl.mk
===================================================================
--- head/stand/ficl.mk
+++ head/stand/ficl.mk
@@ -16,3 +16,7 @@
 
 CFLAGS+=	-I${FICLSRC} -I${FICLSRC}/${FICL_CPUARCH} -I${LDRSRC}
 CFLAGS+=	-DBF_DICTSIZE=15000
+
+.if ${MK_LOADER_VERIEXEC} != "no"
+CFLAGS+= -DLOADER_VERIEXEC -I${SRCTOP}/lib/libsecureboot/h
+.endif
Index: head/stand/ficl/loader.c
===================================================================
--- head/stand/ficl/loader.c
+++ head/stand/ficl/loader.c
@@ -502,6 +502,23 @@
 
     /* open the file */
     fd = open(name, mode);
+#ifdef LOADER_VERIEXEC
+    if (fd >= 0) {
+	if (verify_file(fd, name, 0, VE_GUESS) < 0) {
+	    /* not verified writing ok but reading is not */
+	    if ((mode & O_ACCMODE) != O_WRONLY) {
+		close(fd);
+		fd = -1;
+	    }
+	} else {
+	    /* verified reading ok but writing is not */
+	    if ((mode & O_ACCMODE) != O_RDONLY) {
+		close(fd);
+		fd = -1;
+	    }
+	}
+    }
+#endif
     free(name);
     stackPushINT(pVM->pStack, fd);
     return;
Index: head/stand/libsa/stand.h
===================================================================
--- head/stand/libsa/stand.h
+++ head/stand/libsa/stand.h
@@ -286,6 +286,7 @@
 #define	O_RDONLY	0x0
 #define O_WRONLY	0x1
 #define O_RDWR		0x2
+#define O_ACCMODE	0x3
 /* NOT IMPLEMENTED */
 #define	O_CREAT		0x0200		/* create if nonexistent */
 #define	O_TRUNC		0x0400		/* truncate to zero length */